
#1 2013-01-12 13:28:30

Xaero252
Member
Registered: 2011-11-28
Posts: 107

Limited remote administration

I'm not sure how to appropriately title this, nor how to approach it.
Basically the situation is like so:
I have a server, which is host to a variety of services; from httpd, to remote GUIs for specific tasks on the server; I have remote and local access to all of this, and all of the information stored on the server, including client files, server configuration, and super user.
I have a partner, who only needs access to specific portions of the server.
For example,
My partner needs to be able to access /srv/folder/, preferably as his home directory, though not a gotcha really. This person also needs to be able to remotely execute specific commands, within the scope of the services he requires access to, i.e. sudo systemctl start/stop/restart service
I know I can easily limit him via sudoers by creating a new group, and telling sudo to allow users of said group to execute the above commands.
However, how can I limit the scope of the filesystem he is able to access, I don't want him having access to anything outside of /srv/folder, other than potentially a home folder with limited storage.
Furthermore, how can I limit the availability of commands, for example, let's say he shouldn't need more than:
cp
mv
rm
mkdir
ls
tmux
How can I restrict access to this level?

Most of the access will be via ssh obviously.

Mostly, this is to avoid as much potential human error as possible. I trust myself with the server, but I'm not sure I trust the expertise of my colleague, as Linux is somewhat foreign to him. Backup systems are in place, and everything is redundant, but I shouldn't need to rely on backups, and training shouldn't take place on a live system.


#2 2013-01-12 14:52:26

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,595

Re: Limited remote administration

Not sure you can do this easily... is what you're asking:

1) limit users to /src/folder and $HOME
2) limit users to a specific set of stuff under for example /usr/bin

?


CPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs


#3 2013-01-12 23:08:18

Xaero252
Member
Registered: 2011-11-28
Posts: 107

Re: Limited remote administration

Effectively, yes.
I don't want them able to browse around system files and such freely, nor modify them or use them.
A small set of applications under /usr/bin and a quota'd $HOME as well as access to /srv/folder (multiple occurrences here, but not all /srv directories)
I didn't figure it would be horrendously easy either... maybe it would be possible by aliasing all `unavailable` commands to
echo "This user is not permitted to use that command."
or something along those lines.

I've done some reading, and aside from what I suggested above, it seems the only other possible routes are a chroot jail and similar other options. I may try the chroot option and see if that jails him well enough to $home, and then see about making $HOME /srv/, and then explicitly add this user to a restricted group, which will only have r/w access to particular directories. Then, by limiting the restricted group to only execute specific commands via sudoers, I think it should effectively accomplish preventing any unnecessary damage.

Last edited by Xaero252 (2013-01-12 23:17:48)


#4 2013-01-13 00:41:27

WonderWoofy
Member
From: Los Gatos, CA
Registered: 2012-05-19
Posts: 8,414

Re: Limited remote administration

The only thing that comes to mind right away is to use the chroot function of ssh[d] and then a crap load of hardlinks to create a bare bone "system" under that chrooted directory. It sounds like a whole hell of a lot of work tbh.

Why not just give him access to the full system in terms of readability, but only allow his "sudo-bility" to be able to issue those specific commands.  If you trust this individual with the data itself, just not the writing of the data (this I am totally not sure you are comfortable with), then I wouldn't see any harm in letting him have ro access to the filesystem for the sake of command access.

If you really think he only needs the very very basics like mv, cp, mkdir, rm, ls, etc, I think that this can actually be achieved by the built-in sftp shell. Normally in an sftp chroot, you would have to make sure commands are available within the chroot. But if you use "Subsystem sftp internal-sftp" you can avoid all that, and it provides you with the basic filesystem access that you desire.

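Putting the two pieces the thread converges on side by side, as an added example that is not from any poster: a sudoers rule scoped to specific systemctl actions on one unit, an sshd Match block that jails the group under /srv/folder with internal-sftp, and a check for the ChrootDirectory ownership rule sshd enforces. The group name ops-limited and the unit httpd.service are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). GROUP and UNIT are assumed placeholders;
# JAIL is the /srv/folder path from the original question.
GROUP=ops-limited
UNIT=httpd.service
JAIL=/srv/folder

# Exact arguments, no wildcard: "sudo systemctl stop sshd" stays denied.
# Install the output with visudo (e.g. visudo -f /etc/sudoers.d/ops-limited),
# never by copying it into place unchecked.
render_sudoers() {
  cat <<EOF
Cmnd_Alias OPS_SVC = /usr/bin/systemctl start $UNIT, /usr/bin/systemctl stop $UNIT, /usr/bin/systemctl restart $UNIT
%$GROUP ALL=(root) OPS_SVC
EOF
}

# internal-sftp runs inside sshd, so the jail needs no binaries or libraries;
# the user gets ls/rename/rm/mkdir/get/put under $JAIL and no shell at all.
# Match blocks must come after the global settings in sshd_config.
render_sshd_match() {
  cat <<EOF
Subsystem sftp internal-sftp
Match Group $GROUP
    ChrootDirectory $JAIL
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# sshd rejects a ChrootDirectory unless it and every parent are owned by root
# and not writable by group or others; this checks one directory, so call it
# on each path component. Uses GNU stat (Linux assumed).
check_chroot_dir() {
  [ -d "$1" ] || return 1
  [ "$(stat -c %u "$1")" = 0 ] || return 1                # root-owned
  [ $(( 0$(stat -c %a "$1") & 022 )) -eq 0 ] || return 1  # no g/o write bit
  return 0
}

render_sudoers
render_sshd_match
if check_chroot_dir "$JAIL"; then
  echo "$JAIL is usable as a ChrootDirectory"
else
  echo "$JAIL is missing, not root-owned, or group/other writable"
fi
```

The writable user directory for uploads then goes inside the jail (for example a root-owned /srv/folder containing a subdirectory owned by the user), since the jail root itself must stay unwritable.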

#5 2013-01-13 03:15:49

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,130

Re: Limited remote administration

I'm puzzled about the risks you see in allowing the user read access, as well. Especially if it is just a question of the user not really knowing Linux. I'm just thinking about servers I've had access to at universities where basically everyone has had some sort of access. As a student I could wander around the file system (barring the usual restrictions, of course). [I found it really interesting to wander once I learnt how to.]

I'm especially curious: if rm is one of the commands you think it is safe to provide, what are you worried about exactly?


CLI Paste | How To Ask Questions

Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L


#6 2013-01-13 10:41:34

Xaero252
Member
Registered: 2011-11-28
Posts: 107

Re: Limited remote administration

Well, as I said, the server runs and stores many things, some of which are private data for personnel and customers. Giving it more thought, I can just deny read access from a few choice mount points and effectively eliminate the risk of any personal rights violation. From there, free rein can be had command-wise with limited sudo capabilities. I will probably make this the normal permission level for secondary administrators, and leave full access to senior admins.
Also rm would be required for basic administration. I really just needed to limit the scope of files he had access to more than the commands. Basically I overthought the situation a bit. If protection of confidential information is needed, removing access to the data is sufficient.

Last edited by Xaero252 (2013-01-13 10:47:22)


#7 2013-01-14 12:05:12

hunterthomson
Member
Registered: 2008-06-22
Posts: 794

Re: Limited remote administration

AppArmor


OpenBSD-current Thinkpad X230, i7-3520M, 16GB CL9 Kingston, Samsung 830 256GB
Contributor: linux-grsec


#8 2013-01-14 12:12:55

jakobcreutzfeldt
Member
Registered: 2011-05-12
Posts: 1,041

Re: Limited remote administration

GNU Rush (Restricted User Shell) does exactly what you want....

Last edited by jakobcreutzfeldt (2013-01-14 12:13:06)


#9 2013-01-14 12:41:43

hunterthomson
Member
Registered: 2008-06-22
Posts: 794

Re: Limited remote administration

Xaero252 wrote:

I didn't figure it would be horrendously easy either... maybe it would be possible by aliasing all `unavailable` commands to
echo "This user is not permitted to use that command."
or something along those lines.

Hum, you know that would do the trick for that part... oh wait, no. All the user would have to do is specify the full path like...

/usr/bin/java



#10 2013-01-14 22:07:21

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,130

Re: Limited remote administration

Or just put a backslash in front of the command...

